@naturalcycles/nodejs-lib 12.104.0 → 13.0.1

package/dist/bin/secrets-decrypt.js

@@ -6,8 +6,8 @@ const colors_1 = require("../colors/colors");
 const runScript_1 = require("../script/runScript");
 const secrets_decrypt_util_1 = require("../secret/secrets-decrypt.util");
 (0, runScript_1.runScript)(() => {
-    const { dir, file, encKey, del, jsonMode } = getDecryptCLIOptions();
-    (0, secrets_decrypt_util_1.secretsDecrypt)(dir, file, encKey, del, jsonMode);
+    const { dir, file, encKeyBuffer, del, jsonMode } = getDecryptCLIOptions();
+    (0, secrets_decrypt_util_1.secretsDecrypt)(dir, file, encKeyBuffer, del, jsonMode);
 });
 function getDecryptCLIOptions() {
     require('dotenv').config();
@@ -24,7 +24,7 @@ function getDecryptCLIOptions() {
         },
         encKey: {
             type: 'string',
-            desc: 'Encryption key',
+            desc: 'Encryption key as base64 encoded string',
             // demandOption: true,
             // default: process.env.SECRET_ENCRYPTION_KEY!,
         },
@@ -56,6 +56,7 @@ function getDecryptCLIOptions() {
             throw new Error(`encKey is required. Can be provided as --encKey or env.SECRET_ENCRYPTION_KEY (see readme.md)`);
         }
     }
+    const encKeyBuffer = Buffer.from(encKey, 'base64');
     // `as any` because @types/yargs can't handle string[] type properly
-    return { dir: dir, file, encKey, del, jsonMode };
+    return { dir: dir, file, encKeyBuffer, del, jsonMode };
 }

package/dist/bin/secrets-encrypt.js

@@ -6,8 +6,8 @@ const colors_1 = require("../colors/colors");
 const runScript_1 = require("../script/runScript");
 const secrets_encrypt_util_1 = require("../secret/secrets-encrypt.util");
 (0, runScript_1.runScript)(() => {
-    const { pattern, file, encKey, del, jsonMode } = getEncryptCLIOptions();
-    (0, secrets_encrypt_util_1.secretsEncrypt)(pattern, file, encKey, del, jsonMode);
+    const { pattern, file, encKeyBuffer, del, jsonMode } = getEncryptCLIOptions();
+    (0, secrets_encrypt_util_1.secretsEncrypt)(pattern, file, encKeyBuffer, del, jsonMode);
 });
 function getEncryptCLIOptions() {
     require('dotenv').config();
@@ -15,7 +15,7 @@ function getEncryptCLIOptions() {
         pattern: {
             type: 'string',
             array: true,
-            desc: 'Globby pattern for secrets. Can be many.',
+            desc: 'Globby pattern for secrets. Can be multiple.',
             // demandOption: true,
             default: './secret/**',
         },
@@ -25,7 +25,7 @@ function getEncryptCLIOptions() {
         },
         encKey: {
             type: 'string',
-            desc: 'Encryption key',
+            desc: 'Encryption key as base64 encoded string',
             // demandOption: true,
             // default: process.env.SECRET_ENCRYPTION_KEY!,
         },
@@ -58,6 +58,7 @@ function getEncryptCLIOptions() {
             throw new Error(`encKey is required. Can be provided as --encKey or env.SECRET_ENCRYPTION_KEY (see readme.md)`);
         }
     }
+    const encKeyBuffer = Buffer.from(encKey, 'base64');
     // `as any` because @types/yargs can't handle string[] type properly
-    return { pattern: pattern, file, encKey, del, jsonMode };
+    return { pattern: pattern, file, encKeyBuffer, del, jsonMode };
 }

package/dist/fs/fs.util.js

@@ -120,23 +120,27 @@ function _outputFileSync(filePath, data) {
     fs.writeFileSync(filePath, data);
 }
 exports._outputFileSync = _outputFileSync;
+function stringify(data, opt) {
+    // If pretty-printing is enabled (spaces) - also add a newline at the end (to match our prettier config)
+    return JSON.stringify(data, null, opt?.spaces) + (opt?.spaces ? '\n' : '');
+}
 async function _writeJson(filePath, data, opt) {
-    const str = JSON.stringify(data, null, opt?.spaces);
+    const str = stringify(data, opt);
     await fsp.writeFile(filePath, str);
 }
 exports._writeJson = _writeJson;
 function _writeJsonSync(filePath, data, opt) {
-    const str = JSON.stringify(data, null, opt?.spaces);
+    const str = stringify(data, opt);
     fs.writeFileSync(filePath, str);
 }
 exports._writeJsonSync = _writeJsonSync;
 async function _outputJson(filePath, data, opt) {
-    const str = JSON.stringify(data, null, opt?.spaces);
+    const str = stringify(data, opt);
     await _outputFile(filePath, str);
 }
 exports._outputJson = _outputJson;
 function _outputJsonSync(filePath, data, opt) {
-    const str = JSON.stringify(data, null, opt?.spaces);
+    const str = stringify(data, opt);
     _outputFileSync(filePath, str);
 }
 exports._outputJsonSync = _outputJsonSync;

package/dist/secret/secrets-decrypt.util.d.ts

@@ -1,7 +1,8 @@
+/// <reference types="node" />
 export interface DecryptCLIOptions {
     dir: string[];
     file?: string;
-    encKey: string;
+    encKeyBuffer: Buffer;
     del?: boolean;
     jsonMode?: boolean;
 }
@@ -9,4 +10,4 @@ export interface DecryptCLIOptions {
  * Decrypts all files in given directory (*.enc), saves decrypted versions without ending `.enc`.
  * Using provided encKey.
  */
-export declare function secretsDecrypt(dir: string[], file: string | undefined, encKey: string, del?: boolean, jsonMode?: boolean): void;
+export declare function secretsDecrypt(dir: string[], file: string | undefined, encKeyBuffer: Buffer, del?: boolean, jsonMode?: boolean): void;

package/dist/secret/secrets-decrypt.util.js

@@ -8,13 +8,15 @@ const colors_1 = require("../colors/colors");
 const index_1 = require("../index");
 const crypto_util_1 = require("../security/crypto.util");
 // Debug it like this:
-// yarn tsn ./src/bin/secrets-decrypt.ts --file ./src/test/secrets2.json --jsonMode --encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
 // yarn tsn ./src/bin/secrets-encrypt.ts --file ./src/test/secrets2.plain.json --jsonMode --encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
+// yarn tsn ./src/bin/secrets-decrypt.ts --file ./src/test/secrets2.json --jsonMode --encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
+// yarn tsn ./src/bin/secrets-encrypt.ts --file ./src/test/secrets.json -encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
+// yarn tsn ./src/bin/secrets-decrypt.ts --file ./src/test/secrets.json.enc -encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
 /**
  * Decrypts all files in given directory (*.enc), saves decrypted versions without ending `.enc`.
  * Using provided encKey.
  */
-function secretsDecrypt(dir, file, encKey, del = false, jsonMode = false) {
+function secretsDecrypt(dir, file, encKeyBuffer, del = false, jsonMode = false) {
     // If `file` is provided - only this one file is used
     const patterns = file ? [file] : dir.map(d => `${d}/**/*.enc`);
     const filenames = index_1.fastGlob.sync(patterns);
@@ -24,12 +26,12 @@ function secretsDecrypt(dir, file, encKey, del = false, jsonMode = false) {
             (0, js_lib_1._assert)(filename.endsWith('.json'), `${path.basename(filename)} MUST end with '.json'`);
             (0, js_lib_1._assert)(!filename.endsWith('.plain.json'), `${path.basename(filename)} MUST NOT end with '.plain.json'`);
             plainFilename = filename.replace('.json', '.plain.json');
-            const json = (0, crypto_util_1.decryptObject)((0, index_1._readJsonSync)(filename), encKey);
+            const json = (0, crypto_util_1.decryptObject)((0, index_1._readJsonSync)(filename), encKeyBuffer);
             (0, index_1._writeJsonSync)(plainFilename, json, { spaces: 2 });
         }
         else {
             const enc = fs.readFileSync(filename);
-            const plain = (0, crypto_util_1.decryptRandomIVBuffer)(enc, encKey);
+            const plain = (0, crypto_util_1.decryptRandomIVBuffer)(enc, encKeyBuffer);
             plainFilename = filename.slice(0, filename.length - '.enc'.length);
             fs.writeFileSync(plainFilename, plain);
         }

package/dist/secret/secrets-encrypt.util.d.ts

@@ -1,7 +1,8 @@
+/// <reference types="node" />
 export interface EncryptCLIOptions {
     pattern: string[];
     file?: string;
-    encKey: string;
+    encKeyBuffer: Buffer;
     del?: boolean;
     jsonMode?: boolean;
 }
@@ -9,4 +10,4 @@ export interface EncryptCLIOptions {
  * Encrypts all files in given directory (except *.enc), saves encrypted versions as filename.ext.enc.
  * Using provided encKey.
  */
-export declare function secretsEncrypt(pattern: string[], file: string | undefined, encKey: string, del?: boolean, jsonMode?: boolean): void;
+export declare function secretsEncrypt(pattern: string[], file: string | undefined, encKeyBuffer: Buffer, del?: boolean, jsonMode?: boolean): void;

package/dist/secret/secrets-encrypt.util.js

@@ -11,7 +11,7 @@ const crypto_util_1 = require("../security/crypto.util");
  * Encrypts all files in given directory (except *.enc), saves encrypted versions as filename.ext.enc.
  * Using provided encKey.
  */
-function secretsEncrypt(pattern, file, encKey, del = false, jsonMode = false) {
+function secretsEncrypt(pattern, file, encKeyBuffer, del = false, jsonMode = false) {
     const patterns = file
         ? [file]
         : [
@@ -24,12 +24,12 @@ function secretsEncrypt(pattern, file, encKey, del = false, jsonMode = false) {
         if (jsonMode) {
             (0, js_lib_1._assert)(filename.endsWith('.plain.json'), `${path.basename(filename)} MUST end with '.plain.json'`);
             encFilename = filename.replace('.plain', '');
-            const json = (0, crypto_util_1.encryptObject)((0, index_1._readJsonSync)(filename), encKey);
+            const json = (0, crypto_util_1.encryptObject)((0, index_1._readJsonSync)(filename), encKeyBuffer);
             (0, index_1._writeJsonSync)(encFilename, json, { spaces: 2 });
         }
         else {
             const plain = fs.readFileSync(filename);
-            const enc = (0, crypto_util_1.encryptRandomIVBuffer)(plain, encKey);
+            const enc = (0, crypto_util_1.encryptRandomIVBuffer)(plain, encKeyBuffer);
             encFilename = `${filename}.enc`;
             fs.writeFileSync(encFilename, enc);
         }

package/dist/security/crypto.util.d.ts

@@ -1,24 +1,34 @@
 /// <reference types="node" />
 import { Base64String, StringMap } from '@naturalcycles/js-lib';
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
  */
-export declare function encryptRandomIVBuffer(input: Buffer, secretKeyBase64: Base64String): Buffer;
+export declare function encryptRandomIVBuffer(input: Buffer, secretKeyBuffer: Buffer): Buffer;
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
  */
-export declare function decryptRandomIVBuffer(input: Buffer, secretKeyBase64: Base64String): Buffer;
+export declare function decryptRandomIVBuffer(input: Buffer, secretKeyBuffer: Buffer): Buffer;
 /**
- * Decrypts all object values.
- * Returns object with decrypted values.
+ * Decrypts all object values (base64 strings).
+ * Returns object with decrypted values (utf8 strings).
  */
-export declare function decryptObject(obj: StringMap<Base64String>, secretKey: string): StringMap;
-export declare function encryptObject(obj: StringMap, secretKey: string): StringMap<Base64String>;
+export declare function decryptObject(obj: StringMap<Base64String>, secretKeyBuffer: Buffer): StringMap;
 /**
- * Using aes-256-cbc
+ * Encrypts all object values (utf8 strings).
+ * Returns object with encrypted values (base64 strings).
  */
-export declare function decryptString(str: Base64String, secretKey: string): string;
+export declare function encryptObject(obj: StringMap, secretKeyBuffer: Buffer): StringMap<Base64String>;
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
+ *
+ * Input is base64 string.
+ * Output is utf8 string.
  */
-export declare function encryptString(str: string, secretKey: string): Base64String;
+export declare function decryptString(str: Base64String, secretKeyBuffer: Buffer): string;
+/**
+ * Using aes-256-cbc.
+ *
+ * Input is utf8 string.
+ * Output is base64 string.
+ */
+export declare function encryptString(str: string, secretKeyBuffer: Buffer): Base64String;

package/dist/security/crypto.util.js

@@ -6,11 +6,11 @@ const js_lib_1 = require("@naturalcycles/js-lib");
 const hash_util_1 = require("./hash.util");
 const algorithm = 'aes-256-cbc';
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
  */
-function encryptRandomIVBuffer(input, secretKeyBase64) {
-    // md5 to match aes-256 key length of 32 bytes
-    const key = (0, hash_util_1.md5)(Buffer.from(secretKeyBase64, 'base64'));
+function encryptRandomIVBuffer(input, secretKeyBuffer) {
+    // sha256 to match aes-256 key length
+    const key = (0, hash_util_1.sha256AsBuffer)(secretKeyBuffer);
     // Random iv to achieve non-deterministic encryption (but deterministic decryption)
     const iv = crypto.randomBytes(16);
     const cipher = crypto.createCipheriv(algorithm, key, iv);
@@ -18,11 +18,11 @@ function encryptRandomIVBuffer(input, secretKeyBase64) {
 }
 exports.encryptRandomIVBuffer = encryptRandomIVBuffer;
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
  */
-function decryptRandomIVBuffer(input, secretKeyBase64) {
-    // md5 to match aes-256 key length of 32 bytes
-    const key = (0, hash_util_1.md5)(Buffer.from(secretKeyBase64, 'base64'));
+function decryptRandomIVBuffer(input, secretKeyBuffer) {
+    // sha256 to match aes-256 key length
+    const key = (0, hash_util_1.sha256AsBuffer)(secretKeyBuffer);
     // iv is first 16 bytes of encrypted buffer, the rest is payload
     const iv = input.subarray(0, 16);
     const payload = input.subarray(16);
@@ -31,11 +31,11 @@ function decryptRandomIVBuffer(input, secretKeyBase64) {
 }
 exports.decryptRandomIVBuffer = decryptRandomIVBuffer;
 /**
- * Decrypts all object values.
- * Returns object with decrypted values.
+ * Decrypts all object values (base64 strings).
+ * Returns object with decrypted values (utf8 strings).
  */
-function decryptObject(obj, secretKey) {
-    const { key, iv } = getCryptoParams(secretKey);
+function decryptObject(obj, secretKeyBuffer) {
+    const { key, iv } = getCryptoParams(secretKeyBuffer);
     const r = {};
     (0, js_lib_1._stringMapEntries)(obj).forEach(([k, v]) => {
         const decipher = crypto.createDecipheriv(algorithm, key, iv);
@@ -44,8 +44,12 @@ function decryptObject(obj, secretKey) {
     return r;
 }
 exports.decryptObject = decryptObject;
-function encryptObject(obj, secretKey) {
-    const { key, iv } = getCryptoParams(secretKey);
+/**
+ * Encrypts all object values (utf8 strings).
+ * Returns object with encrypted values (base64 strings).
+ */
+function encryptObject(obj, secretKeyBuffer) {
+    const { key, iv } = getCryptoParams(secretKeyBuffer);
     const r = {};
     (0, js_lib_1._stringMapEntries)(obj).forEach(([k, v]) => {
         const cipher = crypto.createCipheriv(algorithm, key, iv);
@@ -55,25 +59,31 @@ function encryptObject(obj, secretKey) {
 }
 exports.encryptObject = encryptObject;
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
+ *
+ * Input is base64 string.
+ * Output is utf8 string.
  */
-function decryptString(str, secretKey) {
-    const { key, iv } = getCryptoParams(secretKey);
+function decryptString(str, secretKeyBuffer) {
+    const { key, iv } = getCryptoParams(secretKeyBuffer);
     const decipher = crypto.createDecipheriv(algorithm, key, iv);
     return decipher.update(str, 'base64', 'utf8') + decipher.final('utf8');
 }
 exports.decryptString = decryptString;
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
+ *
+ * Input is utf8 string.
+ * Output is base64 string.
  */
-function encryptString(str, secretKey) {
-    const { key, iv } = getCryptoParams(secretKey);
+function encryptString(str, secretKeyBuffer) {
+    const { key, iv } = getCryptoParams(secretKeyBuffer);
     const cipher = crypto.createCipheriv(algorithm, key, iv);
     return cipher.update(str, 'utf8', 'base64') + cipher.final('base64');
 }
 exports.encryptString = encryptString;
-function getCryptoParams(secretKey) {
-    const key = (0, hash_util_1.md5)(secretKey);
-    const iv = (0, hash_util_1.md5)(secretKey + key).slice(0, 16);
+function getCryptoParams(secretKeyBuffer) {
+    const key = (0, hash_util_1.sha256AsBuffer)(secretKeyBuffer);
+    const iv = (0, hash_util_1.md5AsBuffer)(Buffer.concat([secretKeyBuffer, key]));
     return { key, iv };
 }

package/dist/security/secret.util.js

@@ -48,7 +48,8 @@ function loadSecretsFromEncryptedJsonFile(filePath, secretEncryptionKey) {
     let secrets;
     if (secretEncryptionKey) {
         const buf = fs.readFileSync(filePath);
-        const plain = (0, crypto_util_1.decryptRandomIVBuffer)(buf, secretEncryptionKey).toString('utf8');
+        const encKeyBuffer = Buffer.from(secretEncryptionKey, 'base64');
+        const plain = (0, crypto_util_1.decryptRandomIVBuffer)(buf, encKeyBuffer).toString('utf8');
         secrets = JSON.parse(plain);
     }
     else {
@@ -69,7 +70,8 @@ function loadSecretsFromEncryptedJsonFileValues(filePath, secretEncryptionKey) {
     (0, js_lib_1._assert)(fs.existsSync(filePath), `loadSecretsFromEncryptedJsonFileValues() cannot load from path: ${filePath}`);
     let secrets = JSON.parse(fs.readFileSync(filePath, 'utf8'));
     if (secretEncryptionKey) {
-        secrets = (0, crypto_util_1.decryptObject)(secrets, secretEncryptionKey);
+        const encKeyBuffer = Buffer.from(secretEncryptionKey, 'base64');
+        secrets = (0, crypto_util_1.decryptObject)(secrets, encKeyBuffer);
     }
     Object.entries(secrets).forEach(([k, v]) => (secretMap[k.toUpperCase()] = v));
     loaded = true;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@naturalcycles/nodejs-lib",
-  "version": "12.104.0",
+  "version": "13.0.1",
   "scripts": {
     "prepare": "husky install",
     "docs-serve": "vuepress dev docs",

package/readme.md

@@ -8,7 +8,7 @@
 [![Maintainability](https://api.codeclimate.com/v1/badges/119a3b4735c4ed81cf84/maintainability)](https://codeclimate.com/github/NaturalCycles/nodejs-lib/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/119a3b4735c4ed81cf84/test_coverage)](https://codeclimate.com/github/NaturalCycles/nodejs-lib/test_coverage)
 [![code style: prettier](https://img.shields.io/badge/code_style-prettier-ff69b4.svg?style=flat-square)](https://github.com/prettier/prettier)
-[![Actions](https://github.com/NaturalCycles/nodejs-lib/workflows/default/badge.svg)](https://github.com/NaturalCycles/nodejs-lib/actions)
+[![Actions](https://github.com/NaturalCycles/nodejs-lib/workflows/ci/badge.svg)](https://github.com/NaturalCycles/nodejs-lib/actions)
 
 # [Documentation](https://naturalcycles.github.io/nodejs-lib/)
 

package/src/bin/secrets-decrypt.ts

@@ -6,9 +6,9 @@ import { runScript } from '../script/runScript'
 import { DecryptCLIOptions, secretsDecrypt } from '../secret/secrets-decrypt.util'
 
 runScript(() => {
-  const { dir, file, encKey, del, jsonMode } = getDecryptCLIOptions()
+  const { dir, file, encKeyBuffer, del, jsonMode } = getDecryptCLIOptions()
 
-  secretsDecrypt(dir, file, encKey, del, jsonMode)
+  secretsDecrypt(dir, file, encKeyBuffer, del, jsonMode)
 })
 
 function getDecryptCLIOptions(): DecryptCLIOptions {
@@ -27,7 +27,7 @@ function getDecryptCLIOptions(): DecryptCLIOptions {
     },
     encKey: {
       type: 'string',
-      desc: 'Encryption key',
+      desc: 'Encryption key as base64 encoded string',
       // demandOption: true,
       // default: process.env.SECRET_ENCRYPTION_KEY!,
     },
@@ -63,6 +63,8 @@ function getDecryptCLIOptions(): DecryptCLIOptions {
     }
   }
 
+  const encKeyBuffer = Buffer.from(encKey, 'base64')
+
   // `as any` because @types/yargs can't handle string[] type properly
-  return { dir: dir as any, file, encKey, del, jsonMode }
+  return { dir: dir as any, file, encKeyBuffer, del, jsonMode }
 }

package/src/bin/secrets-encrypt.ts

@@ -6,9 +6,9 @@ import { runScript } from '../script/runScript'
 import { EncryptCLIOptions, secretsEncrypt } from '../secret/secrets-encrypt.util'
 
 runScript(() => {
-  const { pattern, file, encKey, del, jsonMode } = getEncryptCLIOptions()
+  const { pattern, file, encKeyBuffer, del, jsonMode } = getEncryptCLIOptions()
 
-  secretsEncrypt(pattern, file, encKey, del, jsonMode)
+  secretsEncrypt(pattern, file, encKeyBuffer, del, jsonMode)
 })
 
 function getEncryptCLIOptions(): EncryptCLIOptions {
@@ -18,7 +18,7 @@ function getEncryptCLIOptions(): EncryptCLIOptions {
     pattern: {
       type: 'string',
       array: true,
-      desc: 'Globby pattern for secrets. Can be many.',
+      desc: 'Globby pattern for secrets. Can be multiple.',
       // demandOption: true,
       default: './secret/**',
     },
@@ -28,7 +28,7 @@ function getEncryptCLIOptions(): EncryptCLIOptions {
     },
     encKey: {
       type: 'string',
-      desc: 'Encryption key',
+      desc: 'Encryption key as base64 encoded string',
       // demandOption: true,
       // default: process.env.SECRET_ENCRYPTION_KEY!,
     },
@@ -65,6 +65,8 @@ function getEncryptCLIOptions(): EncryptCLIOptions {
     }
   }
 
+  const encKeyBuffer = Buffer.from(encKey, 'base64')
+
   // `as any` because @types/yargs can't handle string[] type properly
-  return { pattern: pattern as any, file, encKey, del, jsonMode }
+  return { pattern: pattern as any, file, encKeyBuffer, del, jsonMode }
 }

package/src/fs/fs.util.ts

@@ -126,23 +126,28 @@ export function _outputFileSync(filePath: string, data: string | Buffer): void {
   fs.writeFileSync(filePath, data)
 }
 
+function stringify(data: any, opt?: JsonOptions): string {
+  // If pretty-printing is enabled (spaces) - also add a newline at the end (to match our prettier config)
+  return JSON.stringify(data, null, opt?.spaces) + (opt?.spaces ? '\n' : '')
+}
+
 export async function _writeJson(filePath: string, data: any, opt?: JsonOptions): Promise<void> {
-  const str = JSON.stringify(data, null, opt?.spaces)
+  const str = stringify(data, opt)
   await fsp.writeFile(filePath, str)
 }
 
 export function _writeJsonSync(filePath: string, data: any, opt?: JsonOptions): void {
-  const str = JSON.stringify(data, null, opt?.spaces)
+  const str = stringify(data, opt)
   fs.writeFileSync(filePath, str)
 }
 
 export async function _outputJson(filePath: string, data: any, opt?: JsonOptions): Promise<void> {
-  const str = JSON.stringify(data, null, opt?.spaces)
+  const str = stringify(data, opt)
   await _outputFile(filePath, str)
 }
 
 export function _outputJsonSync(filePath: string, data: any, opt?: JsonOptions): void {
-  const str = JSON.stringify(data, null, opt?.spaces)
+  const str = stringify(data, opt)
   _outputFileSync(filePath, str)
 }
 

package/src/secret/secrets-decrypt.util.ts

@@ -8,14 +8,17 @@ import { decryptObject, decryptRandomIVBuffer } from '../security/crypto.util'
 export interface DecryptCLIOptions {
   dir: string[]
   file?: string
-  encKey: string
+  encKeyBuffer: Buffer
   del?: boolean
   jsonMode?: boolean
 }
 
 // Debug it like this:
-// yarn tsn ./src/bin/secrets-decrypt.ts --file ./src/test/secrets2.json --jsonMode --encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
 // yarn tsn ./src/bin/secrets-encrypt.ts --file ./src/test/secrets2.plain.json --jsonMode --encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
+// yarn tsn ./src/bin/secrets-decrypt.ts --file ./src/test/secrets2.json --jsonMode --encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
+
+// yarn tsn ./src/bin/secrets-encrypt.ts --file ./src/test/secrets.json -encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
+// yarn tsn ./src/bin/secrets-decrypt.ts --file ./src/test/secrets.json.enc -encKey MPd/30v0Zcce4I5mfwF4NSXrpTYD9OO4/fIqw6rjNiWp2b1GN9Xm8nQZqr7c9kKSsATqtwe0HkJFDUGzDSow44GDgDICgB1u1rGa5eNqtxnOVGRR+lIinCvN/1OnpjzeoJy2bStXPj1DKx8anMqgA8SoOZdlWRNSkEeZlolru8Ey0ujZo22dfwMyRIEniLcqvBm/iMiAkV82fn/TxYw05GarAoJcrfPeDBvuOXsARnMCyX18qTFL0iojxeTU8JHxr8TX3eXDq9cJJmridEKlwRIAzADwtetI4ttlP8lwJj1pmgsBIN3iqYssZYCkZ3HMV6BoEc7LTI5z/45rKrAT1A==
 
 /**
  * Decrypts all files in given directory (*.enc), saves decrypted versions without ending `.enc`.
@@ -24,7 +27,7 @@ export interface DecryptCLIOptions {
 export function secretsDecrypt(
   dir: string[],
   file: string | undefined,
-  encKey: string,
+  encKeyBuffer: Buffer,
   del = false,
   jsonMode = false,
 ): void {
@@ -44,12 +47,12 @@ export function secretsDecrypt(
       )
       plainFilename = filename.replace('.json', '.plain.json')
 
-      const json = decryptObject(_readJsonSync(filename), encKey)
+      const json = decryptObject(_readJsonSync(filename), encKeyBuffer)
 
       _writeJsonSync(plainFilename, json, { spaces: 2 })
     } else {
       const enc = fs.readFileSync(filename)
-      const plain = decryptRandomIVBuffer(enc, encKey)
+      const plain = decryptRandomIVBuffer(enc, encKeyBuffer)
       plainFilename = filename.slice(0, filename.length - '.enc'.length)
       fs.writeFileSync(plainFilename, plain)
     }

package/src/secret/secrets-encrypt.util.ts

@@ -8,7 +8,7 @@ import { encryptObject, encryptRandomIVBuffer } from '../security/crypto.util'
 export interface EncryptCLIOptions {
   pattern: string[]
   file?: string
-  encKey: string
+  encKeyBuffer: Buffer
   del?: boolean
   jsonMode?: boolean
 }
@@ -20,7 +20,7 @@ export interface EncryptCLIOptions {
 export function secretsEncrypt(
   pattern: string[],
   file: string | undefined,
-  encKey: string,
+  encKeyBuffer: Buffer,
   del = false,
   jsonMode = false,
 ): void {
@@ -41,12 +41,12 @@ export function secretsEncrypt(
       )
       encFilename = filename.replace('.plain', '')
 
-      const json = encryptObject(_readJsonSync(filename), encKey)
+      const json = encryptObject(_readJsonSync(filename), encKeyBuffer)
 
       _writeJsonSync(encFilename, json, { spaces: 2 })
     } else {
       const plain = fs.readFileSync(filename)
-      const enc = encryptRandomIVBuffer(plain, encKey)
+      const enc = encryptRandomIVBuffer(plain, encKeyBuffer)
       encFilename = `${filename}.enc`
       fs.writeFileSync(encFilename, enc)
     }

package/src/security/crypto.util.ts

@@ -1,15 +1,15 @@
 import * as crypto from 'node:crypto'
 import { _stringMapEntries, Base64String, StringMap } from '@naturalcycles/js-lib'
-import { md5 } from './hash.util'
+import { md5AsBuffer, sha256AsBuffer } from './hash.util'
 
 const algorithm = 'aes-256-cbc'
 
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
  */
-export function encryptRandomIVBuffer(input: Buffer, secretKeyBase64: Base64String): Buffer {
-  // md5 to match aes-256 key length of 32 bytes
-  const key = md5(Buffer.from(secretKeyBase64, 'base64'))
+export function encryptRandomIVBuffer(input: Buffer, secretKeyBuffer: Buffer): Buffer {
+  // sha256 to match aes-256 key length
+  const key = sha256AsBuffer(secretKeyBuffer)
 
   // Random iv to achieve non-deterministic encryption (but deterministic decryption)
   const iv = crypto.randomBytes(16)
@@ -19,11 +19,11 @@ export function encryptRandomIVBuffer(input: Buffer, secretKeyBase64: Base64Stri
 }
 
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
  */
-export function decryptRandomIVBuffer(input: Buffer, secretKeyBase64: Base64String): Buffer {
-  // md5 to match aes-256 key length of 32 bytes
-  const key = md5(Buffer.from(secretKeyBase64, 'base64'))
+export function decryptRandomIVBuffer(input: Buffer, secretKeyBuffer: Buffer): Buffer {
+  // sha256 to match aes-256 key length
+  const key = sha256AsBuffer(secretKeyBuffer)
 
   // iv is first 16 bytes of encrypted buffer, the rest is payload
   const iv = input.subarray(0, 16)
@@ -35,11 +35,11 @@ export function decryptRandomIVBuffer(input: Buffer, secretKeyBase64: Base64Stri
 }
 
 /**
- * Decrypts all object values.
- * Returns object with decrypted values.
+ * Decrypts all object values (base64 strings).
+ * Returns object with decrypted values (utf8 strings).
  */
-export function decryptObject(obj: StringMap<Base64String>, secretKey: string): StringMap {
-  const { key, iv } = getCryptoParams(secretKey)
+export function decryptObject(obj: StringMap<Base64String>, secretKeyBuffer: Buffer): StringMap {
+  const { key, iv } = getCryptoParams(secretKeyBuffer)
 
   const r: StringMap = {}
   _stringMapEntries(obj).forEach(([k, v]) => {
@@ -49,8 +49,12 @@ export function decryptObject(obj: StringMap<Base64String>, secretKey: string):
   return r
 }
 
-export function encryptObject(obj: StringMap, secretKey: string): StringMap<Base64String> {
-  const { key, iv } = getCryptoParams(secretKey)
+/**
+ * Encrypts all object values (utf8 strings).
+ * Returns object with encrypted values (base64 strings).
+ */
+export function encryptObject(obj: StringMap, secretKeyBuffer: Buffer): StringMap<Base64String> {
+  const { key, iv } = getCryptoParams(secretKeyBuffer)
 
   const r: StringMap = {}
   _stringMapEntries(obj).forEach(([k, v]) => {
@@ -61,25 +65,31 @@ export function encryptObject(obj: StringMap, secretKey: string): StringMap<Base
 }
 
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
+ *
+ * Input is base64 string.
+ * Output is utf8 string.
  */
-export function decryptString(str: Base64String, secretKey: string): string {
-  const { key, iv } = getCryptoParams(secretKey)
+export function decryptString(str: Base64String, secretKeyBuffer: Buffer): string {
+  const { key, iv } = getCryptoParams(secretKeyBuffer)
   const decipher = crypto.createDecipheriv(algorithm, key, iv)
   return decipher.update(str, 'base64', 'utf8') + decipher.final('utf8')
 }
 
 /**
- * Using aes-256-cbc
+ * Using aes-256-cbc.
+ *
+ * Input is utf8 string.
+ * Output is base64 string.
  */
-export function encryptString(str: string, secretKey: string): Base64String {
-  const { key, iv } = getCryptoParams(secretKey)
+export function encryptString(str: string, secretKeyBuffer: Buffer): Base64String {
+  const { key, iv } = getCryptoParams(secretKeyBuffer)
   const cipher = crypto.createCipheriv(algorithm, key, iv)
   return cipher.update(str, 'utf8', 'base64') + cipher.final('base64')
 }
 
-function getCryptoParams(secretKey: string): { key: string; iv: string } {
-  const key = md5(secretKey)
-  const iv = md5(secretKey + key).slice(0, 16)
+function getCryptoParams(secretKeyBuffer: Buffer): { key: Buffer; iv: Buffer } {
+  const key = sha256AsBuffer(secretKeyBuffer)
+  const iv = md5AsBuffer(Buffer.concat([secretKeyBuffer, key]))
   return { key, iv }
 }

package/src/security/secret.util.ts

@@ -62,7 +62,8 @@ export function loadSecretsFromEncryptedJsonFile(
 
   if (secretEncryptionKey) {
     const buf = fs.readFileSync(filePath)
-    const plain = decryptRandomIVBuffer(buf, secretEncryptionKey).toString('utf8')
+    const encKeyBuffer = Buffer.from(secretEncryptionKey, 'base64')
+    const plain = decryptRandomIVBuffer(buf, encKeyBuffer).toString('utf8')
     secrets = JSON.parse(plain)
   } else {
     secrets = JSON.parse(fs.readFileSync(filePath, 'utf8'))
@@ -94,7 +95,8 @@ export function loadSecretsFromEncryptedJsonFileValues(
   let secrets: StringMap = JSON.parse(fs.readFileSync(filePath, 'utf8'))
 
   if (secretEncryptionKey) {
-    secrets = decryptObject(secrets, secretEncryptionKey)
+    const encKeyBuffer = Buffer.from(secretEncryptionKey, 'base64')
+    secrets = decryptObject(secrets, encKeyBuffer)
   }
 
   Object.entries(secrets).forEach(([k, v]) => (secretMap[k.toUpperCase()] = v))